Joseph D. Masterson quoted in article “Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two)”The Cybersecurity Law Report 08/12/15
Below is an excerpt:
In the wake of a material incident, companies should issue a supplemental disclosure right away, Joseph Masterson, a partner at Quarles & Brady, said. “The minimum responsibility is the annual obligation to disclose in the 10-K material information about special risks and then to update that information quarterly if it’s changed,” Masterson said. “If there is a major breach, they file an 8-K special report and not wait for the next cycle the way they would normally do it with an SEC filing.”
In other circumstances, the nature of the incident may not require an immediate supplemental disclosure, and the company may decide to instead include updated language in the next scheduled disclosure.
In addition, notes to the financial statements should include a management discussion and analysis of the cyber program, Masterson said.
Originally published in The Cybersecurity Law Report, August 12, 2015